Experts say more work needed on cybersecurity in public and private sectors

As the Trump administration works to implement President Donald Trump’s executive order to improve the nation’s cybersecurity, a spear-phishing incident involving his own aides and relatives and a high-profile hack at HBO are providing fresh evidence of the continued vulnerabilities in the public and private sectors.

The simple spear-phishing emails sent to White House officials tricked them into believing they were communicating with colleagues, with some engaging in several email exchanges with the UK-based prankster without realizing what happened.

Several senior officials were duped by the prank, including Reince Priebus, Anthony Scaramucci, and designated Ambassador to Russia Jon Huntsman. Top cybersecurity adviser Tom Bossert was so convinced he was talking to Jared Kushner that he volunteered his personal email address unsolicited.

“The most disconcerting aspect of this story is the fact that Tom Bossert is the White House's Homeland Security Advisor who also handles cybersecurity matters,” said Scott Schober, president and CEO of Berkeley Varitronics Systems, who has written a book about his own mistakes when his business was hacked. “Cybersecurity experts are targeted by hackers because of what they know or who they are. The latter reason is primarily tied to the hacker’s ego and status in the hacking community.”

The prankster told CNN he had no ill intent with his emails. Hackers who targeted HBO recently appear to be somewhat more malevolent.

The premium cable network revealed Monday that its proprietary information had been compromised in a “cyber incident.” Hackers claimed to have stolen 1.5 terabytes of data, posting upcoming episodes of original series and details of the next episode of “Game of Thrones” online.

This follows a similar incident in April, when a hacker targeted Netflix and released episodes of “Orange Is the New Black” weeks before its season premiere.

Both cases pale in comparison to a massive cyber-attack Sony Pictures suffered in November 2014, believed to have been sponsored by North Korea. However, they do underscore the ongoing threat of cyber intrusions that experts say private businesses and the federal government must take seriously.

Although Trump’s pronouncements on cybersecurity during the campaign were often extremely vague, an executive order issued in May laid out some of the administration’s priorities. The “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” signed by Trump on May 11 requests reports from various offices and agencies about the country’s cybersecurity capabilities.

Deadlines for the reports vary, with some due in the next few weeks and others expected up to 240 days after the signing. The secretaries of energy and homeland security were directed to produce a report within 90 days on the consequences of a “prolonged power outage associated with a significant cyber incident.”

Before inauguration, the Trump transition announced former New York City Mayor Rudy Giuliani would chair a task force on cybersecurity issues. Giuliani told reporters at the time that the capabilities of modern technology have outpaced the ability to defend it.

“The president-elect is very much aware of this, it’s something he talked about quite a bit during the campaign, and what he wants to make sure is we now spend time having our defense, our cyber-defense, catch up to our offense,” he said. “We need that in the private sector, we need that in government. Many of the solutions to it, and many of the problems, are in the private sector.”

In a March interview with Reuters, Giuliani said the Trump administration may issue “fairly loose” regulations on cybersecurity to help companies prevent breaches.

“There will be a federal standard coming,” he said.

Giuliani reportedly briefed some cyber executives on his plans for the task force early on. Thomas Gann, vice president for public policy at McAfee, told reporters in April that the team was still working out its organizational structure, but it planned to address information-sharing between companies and the government and protection of critical infrastructure.

Not much has been said on the record since then. At a May press briefing on Trump’s executive order, Bossert thanked Giuliani for “the advice he’s given to me and to the president and to others as we formulate this thinking.”

In June, Trump met with Giuliani and representatives of the energy sector to discuss cyber threats to the power grid and other infrastructure.

“In the meeting, the leaders discussed unique challenges the sector faces and strategic initiatives, both underway and proposed, to address the evolution of malicious cyber activity,” the White House stated in a readout of the meeting, noting a continued focus on public/private partnerships.

Giuliani’s law office did not respond to a request for comment on his cyber efforts Tuesday.

Some experts say Trump’s executive order is an early sign that the administration is steering the government in the right direction on cybersecurity. Schober said it builds on policies established by the Obama administration in the wake of the 2015 hack of the Office of Personnel Management.

“The key area that I and other cybersecurity experts applaud is the federal government's recognition that there needs to be more sharing of information between the government and the private sector,” he said. “There is an ongoing push for standardization between cloud architecture and infrastructure which is also encouraging to see.”

According to Joshua Corman, director of the Cyber Statecraft Initiative at the Atlantic Council's Brent Scowcroft Center on International Security, the order reflects an increased awareness of cybersecurity issues on the federal level. In particular, he appreciates the acknowledgment of the dangers posed by outdated devices and systems.

“They recognize the need to have healthy IT and software that’s not past its expiration date, so to speak…. Software rots, it ages like milk, not like wine,” he said.

Others worry that ordering more reports is not much of a step forward.

“The executive order was basically a plan for a plan,” said Daniel Castro, vice president of the Information Technology and Innovation Foundation. “It didn’t have much within it saying what they were going to do.”

The spear-phishing pranks targeting the White House were ultimately harmless, but the ease with which top officials appear to have been tricked signals a disturbing lack of cyber-hygiene.

“This is the type of problem where real-world training is one of the few viable solutions,” Castro said.

Frank Cilluffo, director of the Center for Cyber and Homeland Security at George Washington University, said this type of phishing scam is responsible for the majority of data breaches, so there should be more awareness of it. As defenses and cybersecurity training grow more sophisticated, though, so do the tactics used by hackers.

“We still need to do a whole lot more to educate not only the cybersecurity experts but also the general workforce,” he said.

The real cybersecurity threats that concern experts are not prank emails and leaked episodes of “Ballers.” They are attacks on power grids, air traffic control, hospitals, and other critical institutions that keep people alive and keep the country running.

In late 2015, Russia-based hackers used malware to shut down Ukraine’s power grid. In October 2016, the largest distributed denial-of-service attack in history impacted dozens of the most popular U.S. internet sites. In May 2017, ransomware infected 230,000 computers worldwide and essentially hobbled Britain’s National Health Service.

“Prior to 2016, most consequences of failure were acceptable…. Last year challenged our frame that this is mostly financial criminals looking for replaceable data,” Corman said. The stakes of cyber-attacks will only continue to rise as society becomes more reliant on connected devices and internet-of-things products become more prevalent.

“We have become over-dependent on undependable things,” he said.

Any device with software can be hacked, and no security can realistically prevent every conceivable attack.

“Just because you want to put software in everything, it doesn’t mean it’s sound or prudent, and it can affect your privacy, your safety and even national security,” Corman said.

He served on a task force for the Department of Health and Human Services examining cybersecurity in the health care industry. HHS published a 96-page report in June detailing the somewhat terrifying weaknesses the task force uncovered in the system, along with recommendations to address them.

“Health care cybersecurity is in critical condition,” the report states.

While Corman believes the political will to take action over the unreliability of connected software is growing, he also noted the vast disparity between public and private spending on cyber-defenses. The National Security Agency’s cyber budget is not public, but the Department of Homeland Security spends less than $1 billion annually. The private sector spends $80 billion per year on security products.

When it comes to individual companies targeted in individual attacks of unknown origins, Castro said the government can help with aggressive enforcement and prosecution, but businesses ultimately have to defend themselves.

“I don’t think that in general the federal government can solve some of these one-off problems,” he said.

If a company shirks that responsibility, it typically learns quickly after it is attacked and then secures its systems against future breaches.

“Companies are finally starting to realize if they don’t take hacking seriously, they will become victims themselves,” Schober said. “When a company is hacked, it not only affects their day to day business, but also their customers, their brand value, their shareholders, and of course their bottom line.”

The National Institute of Standards and Technology has developed a framework for improving cybersecurity, and Trump’s executive order required many federal agencies to comply with it. The voluntary guidelines are intended to help organizations manage and reduce risks, but NIST emphasizes that different organizations have unique vulnerabilities that must be considered and this is not a one-size-fits-all approach.

“If you’re waiting for the government to come down with a magic wand and provide the solutions, you’re doomed to failure,” Cilluffo said.